Merge pull request #90822 from deads2k/csr-separate-signer-flags-02

allow setting different certificates for kube-controller-managed CSR signers Kubernetes-commit: 05f6812c2da4c3af8d133159c06546f464b2d63f
2020-07-18 03:10:50 -07:00 · 2020-07-18 03:10:50 -07:00 · 682bd81d38
parent 50790d8e70 d98570aa02
commit 682bd81d38
5 changed files with 43 additions and 3 deletions
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@ -540,7 +540,7 @@
 		},
 		{
 			"ImportPath": "k8s.io/api",
-			"Rev": "801f67dca416"
+			"Rev": "0bfda2331c3c"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery",
--- a/config/v1alpha1/types.go
+++ b/config/v1alpha1/types.go
@ -246,11 +246,31 @@ type CSRSigningControllerConfiguration struct {
 	// clusterSigningCertFile is the filename containing a PEM-encoded
 	// RSA or ECDSA private key used to issue cluster-scoped certificates
 	ClusterSigningKeyFile string
+
+	// kubeletServingSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kubelet-serving signer
+	KubeletServingSignerConfiguration CSRSigningConfiguration
+	// kubeletClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client-kubelet
+	KubeletClientSignerConfiguration CSRSigningConfiguration
+	// kubeAPIServerClientSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/kube-apiserver-client
+	KubeAPIServerClientSignerConfiguration CSRSigningConfiguration
+	// legacyUnknownSignerConfiguration holds the certificate and key used to issue certificates for the kubernetes.io/legacy-unknown
+	LegacyUnknownSignerConfiguration CSRSigningConfiguration
+
 	// clusterSigningDuration is the length of duration signed certificates
 	// will be given.
 	ClusterSigningDuration metav1.Duration
 }

+// CSRSigningConfiguration holds information about a particular CSR signer
+type CSRSigningConfiguration struct {
+	// certFile is the filename containing a PEM-encoded
+	// X509 CA certificate used to issue certificates
+	CertFile string
+	// keyFile is the filename containing a PEM-encoded
+	// RSA or ECDSA private key used to issue certificates
+	KeyFile string
+}
+
 // DaemonSetControllerConfiguration contains elements describing DaemonSetController.
 type DaemonSetControllerConfiguration struct {
 	// concurrentDaemonSetSyncs is the number of daemonset objects that are
--- a/config/v1alpha1/zz_generated.deepcopy.go
+++ b/config/v1alpha1/zz_generated.deepcopy.go
@ -41,9 +41,29 @@ func (in *AttachDetachControllerConfiguration) DeepCopy() *AttachDetachControlle
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CSRSigningConfiguration) DeepCopyInto(out *CSRSigningConfiguration) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CSRSigningConfiguration.
+func (in *CSRSigningConfiguration) DeepCopy() *CSRSigningConfiguration {
+	if in == nil {
+		return nil
+	}
+	out := new(CSRSigningConfiguration)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CSRSigningControllerConfiguration) DeepCopyInto(out *CSRSigningControllerConfiguration) {
 	*out = *in
+	out.KubeletServingSignerConfiguration = in.KubeletServingSignerConfiguration
+	out.KubeletClientSignerConfiguration = in.KubeletClientSignerConfiguration
+	out.KubeAPIServerClientSignerConfiguration = in.KubeAPIServerClientSignerConfiguration
+	out.LegacyUnknownSignerConfiguration = in.LegacyUnknownSignerConfiguration
 	out.ClusterSigningDuration = in.ClusterSigningDuration
 	return
 }
--- a/go.mod
+++ b/go.mod
@ -10,7 +10,7 @@ require (
 )

 replace (
-	k8s.io/api => k8s.io/api v0.0.0-20200712171229-801f67dca416
+	k8s.io/api => k8s.io/api v0.0.0-20200717102341-0bfda2331c3c
 	k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20200712171229-2c8b1211fea9
 	k8s.io/client-go => k8s.io/client-go v0.0.0-20200712171229-b501d6e7bb38
 	k8s.io/component-base => k8s.io/component-base v0.0.0-20200712171229-fbdbc959442e
--- a/go.sum
+++ b/go.sum
@ -352,7 +352,7 @@ honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
-k8s.io/api v0.0.0-20200712171229-801f67dca416/go.mod h1:cxPAYAuEKCBUKMa/dalW3GjafStRSFWZWTXwOZgIXnk=
+k8s.io/api v0.0.0-20200717102341-0bfda2331c3c/go.mod h1:cxPAYAuEKCBUKMa/dalW3GjafStRSFWZWTXwOZgIXnk=
 k8s.io/apimachinery v0.0.0-20200712171229-2c8b1211fea9/go.mod h1:eHbWZVMaaewmYBAUuRYnAmTTMtDhvpPNZuh8/6Yl7v0=
 k8s.io/client-go v0.0.0-20200712171229-b501d6e7bb38/go.mod h1:7gHvVeNy1/JusCvd7hH3HRdXnR5GB62B0Hjx0oLfO20=
 k8s.io/component-base v0.0.0-20200712171229-fbdbc959442e/go.mod h1:Z8OBVfkslH5ZtBMPGISW/vbVoiJq9aI/sbcdXGz7Wlw=